S----h ransomware reboots PCs in Windows Safe Mode to bypass antivirus apps

Discussion created by elstaci on Dec 10, 2019
Latest reply on Dec 11, 2019 by hardcoregames™

S----h ransomware reboots PCs in Windows Safe Mode to bypass antivirus apps | ZDNet


Unlike most ransomware strains, the S----h ransomware also steals files from infected networks.


By Catalin Cimpanu for Zero Day | December 9, 2019 -- 23:57 GMT (15:57 PST) | Topic: Security



The authors of the S----h ransomware are using a never-before-seen trick to bypass antivirus software and encrypt victims' files without being detected.


The trick relies on rebooting an infected computer into Safe Mode, and running the ransomware's file encryption process from there.


The reason for this step is that most antivirus software does not start in Windows Safe Mode, a Windows state meant for debugging and recovering a corrupt operating system.


However, the S----h crew discovered that they could use a Windows registry key to schedule a Windows service to start in Safe Mode. This service would run their ransomware in Safe Mode without the risk of being detected by antivirus software and having its encryption process stopped.

The Safe Mode trick was discovered by the incident response team at Sophos Labs, who were called in to investigate a ransomware infection in the past few weeks. Its research team says this is a big deal, and a trick that could be rapidly adopted by other ransomware crews as well.


"SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users," Andrew Brandt, a malware researcher and network forensicator at Sophos said in a report published today.


S----h, another big-game hunter


Sophos researchers say this is the S----h crew's latest trick, but not its first. This particular ransomware gang has been operating since the summer of 2018, but to this day, very few have heard of this strain.


This happened because the S----h crew never targeted home users nor did it ever use mass-distribution methods like email spam campaigns or browser-based exploit kits -- two distribution channels that tend to get a lot of attention from cyber-security firms.


Instead, the S----h crew went only after a small list of carefully selected targets, such as companies and public or government organizations.


This type of targeting and methodology is known in the cyber-security field as "big-game hunting" and is a strategy that's been widely adopted by multiple ransomware crews today.


The idea behind big-game hunting is that instead of going after the small ransom fees malware authors can extract from home users, crooks go after large corporations and government organizations, from where they can ask for ransom fees that are hundreds of thousands of times bigger.


Ransomware like Ryuk, SamSam, Matrix, BitPaymer, and LockerGoga are your typical big-game hunters.


S----h team seen recruiting hackers on hacking forums


All the ransomware gangs listed above have their own methodology for breaching their respective targets' networks, and so does S----h.


According to Sophos, the group buys their way into a company's network. Researchers say they tracked down ads the S----h team has posted on hacking forums, ads meant to recruit partners for their scheme.


According to a translation of the ad, the S----h team was "looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies."




Image: Sophos


The Sophos team says the S----h team would buy access to a hacked network, or work with another hacker to breach a desired company.


Once in, they rarely moved right away to install the ransomware and encrypt files. Instead, the S----h team lingered inside a hacked company for days, or even weeks.


The hackers would bide their time and slowly escalate access to internal domain controllers, from where they'd spread to as many computers on an internal network as possible.


To do this, the S----h crew used legitimate sysadmin tools and penetration testing toolkits to get the job done, tools such as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool, and PsExec. Since these are common tools, most antivirus products failed to raise any alarms.


Once the S----h gang has all the access they need, they add the registry key and Windows service that starts S----h in Safe Mode on all infected hosts, and force a reboot of all workstations -- a reboot that begins the file encryption process.
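The article does not name the registry key, but the keys Windows consults for services to start in Safe Mode are HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network, where a subkey whose default value is "Service" names a service that will run there. The script below is an added example (not from the article or from Sophos) for the mechanism described above and in the procedure that ends here: it diffs a `reg export` of those keys against a known-good export taken from a clean reference machine and reports service entries that were added. Both exports, and the entry name BackupSvcPlaceholder, are constructed samples.

```python
import re

# Matches the header line of a SafeBoot\Minimal or SafeBoot\Network subkey in a .reg export.
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]]+)\]$", re.IGNORECASE)

# Constructed known-good export from a clean reference machine (not real Windows defaults).
BASELINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"
"""

# Constructed export from a suspect host: one extra service and one extra driver entry.
SUSPECT_EXPORT = BASELINE_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BackupSvcPlaceholder]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\extra.sys]
@="Driver"
"""


def parse_safeboot_export(reg_text):
    """Return {(mode, subkey): default value} for every SafeBoot\\Minimal or \\Network subkey."""
    entries = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SAFEBOOT_RE.match(line)
        if m:
            current = (m.group(1).capitalize(), m.group(2))
            entries[current] = ""          # filled in by the @="..." default value, if present
        elif line.startswith("["):
            current = None                 # some other key; ignore its values
        elif current is not None and line.startswith('@="') and line.endswith('"'):
            entries[current] = line[3:-1]
    return entries


def find_new_safeboot_services(baseline_text, current_text):
    """List (mode, subkey) service entries present in current_text but absent from the baseline."""
    baseline = {(m.lower(), n.lower()) for (m, n) in parse_safeboot_export(baseline_text)}
    return sorted(
        (mode, name) for (mode, name), kind in parse_safeboot_export(current_text).items()
        if (mode.lower(), name.lower()) not in baseline and kind.lower() == "service")
```

Run `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg` on the reference and suspect hosts and feed the two files to `find_new_safeboot_services`; any service entry that appears only on the suspect host deserves a look at its binary path and when it was created.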

Stealing customer data


Furthermore, Sophos says that unlike most ransomware gangs, who are primarily focused on encrypting files and asking for ransoms, they also found evidence that the S----h crew engaged in data theft.


This makes the S----h crew unique and highly dangerous, as companies also stand to lose from their data being sold or leaked online at a later date, even if they paid the ransom fee and decrypted their files.


This type of behavior is highly unusual and is likely to push S----h at the top of many lists of today's most dangerous ransomware strains.


But combing a company's internal network for files to steal takes time, which is one reason why S----h has not claimed as many victims as other "big game hunting" strains/gangs. The number of S----h victims is very small.


Coveware, a company that specializes in extortion negotiations between ransomware victims and attackers, told Sophos they've privately handled ransom payments for S----h ransomware infections on 12 occasions between July and October 2019. The payments ranged from $2,000 to $35,000, Coveware said.


Until today, the only known public case of a S----h ransomware infection was SmarterASP.NET, a web hosting company that boasted of having around 440,000 customers.


Sophos recommends that companies secure ports and services that are exposed on the internet with either strong passwords or with multi-factor authentication.


Since the S----h crew is also interested in experimenting with VNC, TeamViewer, or SQL injections, securing a company's network against these attack points is also a must.